November 7, 2023
The data protection obligations that enterprises and organizations must comply with have changed completely since Decree No. 13/2023/ND-CP on Personal Data Protection (the "Decree") took effect. One such obligation is to designate a department responsible for personal data protection or to appoint personnel in charge of personal data protection (hereinafter referred to as "designating the DPO"). Below is an overview of the regulations that businesses have been required to comply with since July 1, 2023:
Personal data is information that is associated with a particular person or helps to identify a particular person. Personal data includes basic personal data and sensitive personal data.
Basic personal data includes names, gender, personal identification numbers, etc., and any other information associated with a specific person, or helping to identify a specific person, that is not sensitive personal data.
Sensitive personal data means personal data associated with an individual's privacy that, when infringed upon, directly affects the legitimate rights and interests of that individual, including information on health condition, personal location data, information on inherited or acquired genetic characteristics, information on accounts, deposits or transactions, etc. The Decree's definition of sensitive personal data is therefore very broad.
Designating the DPO is one of the measures for protecting sensitive personal data. Accordingly, the DPO is designated by the enterprise or organization to prevent, detect, stop and handle infringements upon personal data in general and sensitive personal data in particular. However, the Decree does not specify in which cases an enterprise must designate a whole department and in which cases it is sufficient to appoint personnel in charge of personal data protection.
The Controller[1], the Controller-cum-Processor[2] (hereinafter referred to as the Controller), the Processor[3] and the Third Party[4] are all obliged to designate the DPO when they process sensitive personal data.
Given the broad scope of sensitive personal data and of the data processing activities defined in the Decree, many businesses and organizations in Vietnam will have to fulfill this obligation, such as banks, medical facilities, and any other organization that collects sensitive data of employees, customers, etc.
From the commencement of, and throughout, the processing of sensitive personal data, businesses and organizations must implement personal data protection measures, including designating the DPO. This means that designating the DPO has been mandatory since July 1, 2023 for organizations and businesses whose activities involve sensitive personal data.
However, micro-enterprises, small enterprises, medium-sized enterprises and start-up enterprises (except those directly engaged in personal data processing) are entitled to opt out of the provisions on designating the persons and department in charge of personal data protection for the first 02 years from their date of establishment.
Where the Controller, the Controller-cum-Processor, the Processor or the Third Party is an individual, there is no need to designate a DPO; instead, that individual takes on this responsibility.
In general, the main responsibility of this department or personnel is to protect personal data from infringement, including preventing, detecting, stopping and handling violations regarding personal data in accordance with the law, and communicating with the authorities on related issues. However, the Decree gives no guidance on the specific tasks the DPO must carry out to fulfil these responsibilities, so detailed instructions will need to be issued in the near future.
For reference, under the EU's General Data Protection Regulation (GDPR) the DPO's responsibilities include advising the Controller/Processor on data protection obligations; monitoring compliance with data protection law; providing advice on data protection impact assessments when requested; and cooperating with, and acting as the contact point for, the state agencies on issues relating to personal data protection.[5]
Yes.
Enterprises and organizations are required to provide information on the department and individuals in charge of personal data protection to the Specialized Agency for Personal Data Protection, namely the Department of Cybersecurity and Hi-tech Crime Prevention, Ministry of Public Security. This information is mandatory content of both the data protection impact assessment dossier and the cross-border data transfer impact assessment dossier.
Where the Controller, the Processor or the Third Party is an individual, information on that individual must likewise be provided.
The Decree stipulates that agencies, organizations and individuals that violate the regulations on personal data protection may, depending on the severity of the violation, be disciplined, face administrative penalties or be criminally prosecuted. A breach of the DPO regulations is therefore a violation of the data protection regulations for which the violator bears legal responsibility. No specific penalties have been set yet, but based on previous drafts the expected sanctions could be severe, with a direct and significant impact on the business results of the enterprise.
Therefore, the DPO should be designated from July 1, 2023 in order to avoid possible legal risks.
PrivacyCompliance provides solutions for personal data compliance, personal data processing impact assessments, and the drafting of impact assessment dossiers and cross-border data transfer dossiers.
[1] “Personal Data Controller” refers to an organization or individual that decides the purposes and means of processing personal data.
[2] “Personal Data Controller-cum-Processor” refers to an organization or individual that jointly decides the purposes and means, and directly processes personal data.
[3] “Personal Data Processor” refers to an organization or individual that processes data on behalf of the Personal Data Controller via a contract or agreement with the Personal Data Controller.
[4] "Third Party" means an organization or individual other than the Data Subject, Personal Data Controller, Personal Data Processor and Personal Data Controller-cum-Processor that is authorized to process personal data.
[5] GDPR, Article 39.